PT-2026-55480 · Jpeg-Xl · Jpeg-Xl
Published
2026-05-29
·
Updated
2026-07-02
·
CVE-2026-52834
CVSS v3.1
7.3
High
| Vector | AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
// The product name cannot be determined. (affected versions not specified)
Description
On 32-bit platforms, decoding a crafted JPEG XL image can lead to out-of-bounds writes due to an integer overflow during length calculation, potentially allowing arbitrary code execution. This occurs when the
AlignedGrid::with alloc tracker() function computes width * height without proper checks, resulting in a backing buffer that is too small for the logical dimensions. This can be triggered by a frame with huge actual dimensions that exceeds the usize element count on 32-bit systems, or by a combination of a huge canvas and a tiny cropped frame during composition in the render frame() function.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Integer Overflow
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jpeg-Xl